Our Customer TermsPage 1 of 16

Vulnerability Services

Contents


1 About this Part

2 Vulnerability Services

Availability

What are the Vulnerability Services?

Vulnerability Scan

Optional Vulnerability Service Add-on

Vulnerability Assessment

3 Vulnerability Scan

4 Vulnerability Service Add-ons

Internal Scans

Additional Web Application Scans (WAS)

Zero-Day Scans

Consultant Reporting

5 Vulnerability Assessment

6 Online service portal

Online service portal

Qualys platform

Access to Qualys platform

Licence

Usernames and passwords

Notices

7 Scans and reports

8 Scanners

Dedicated hardware

Virtual scanner

9 Additional requirements

Internal use

Authority to scan

10 Term and termination

Termination

11 Telstra Managed Security Services

12 General

Professional services

Additional reporting

Location of scanning and storage

Changes to delivery mechanism

Planned maintenance

Liability

Intellectual property rights

13 Fees and charges

Payments and variations

Scanning restrictions

Vulnerability Scan charges

Additional Web Application Scan Charges

Internal Scan Charges

Consultant Report charges

Vulnerability Assessment Service charges

Professional services charges

14 Helpdesk

15 Service levels

About service levels

Measurement of service levels

Vulnerability Service - Platform Availability

16 Special meanings

Vulnerability Services was last changed on 14 November 2014.


Vulnerability Services

Certain words are used with the specific meanings set out in this Vulnerability Services section and in the General Terms of Our Customer Terms.

1 About this Part

1.1 This is Our Customer Terms for Vulnerability Services. Provisions in other parts of the General Terms of Our Customer Terms may apply to your Vulnerability Service.

See clause 1 of the General Terms of Our Customer Terms for more detail on how the various sections of Our Customer Terms should be read together.

1.2 This part only applies if you have one or more Vulnerability Services.

1.3 If there is an inconsistency between this part and the other parts of the General Terms of Our Customer Terms, this part prevails to the extent of the inconsistency.

2 Vulnerability Services

Availability

2.1 The Vulnerability Services are not available to Telstra Wholesale customers or for resale or supply to a third party.

What are the Vulnerability Services?

2.2 Telstra’s Vulnerability Services help you identify IT systems in your external or internal network that might be vulnerable to known threats from the Internet, by scanning your network for known vulnerabilities and reporting on the security vulnerabilities found in the scanned network.

2.3 The service scans your nominated IP addresses and web applications (network assets) against a list of known vulnerabilities and produces a report about the security vulnerability of those network assets.

Vulnerability Scan

2.4 You may apply for the Vulnerability Scan service.

Optional Vulnerability Service Add-on

2.5 You may also apply for the following optional Vulnerability Service Add-on features:

(a) Internal Scans

(b) Additional Web Application Scans

(c) Zero-Day Scans

(d) Consultant Reporting

Vulnerability Assessment

2.6 You may request a Telstra Security Consultant to conduct one or more of the Vulnerability Services on your behalf and provide a customised report.

Minimum term

2.7 You must obtain your Vulnerability Service for a minimum term of 12 months or such longer term as agreed.

3 Vulnerability Scan

3.1 The Vulnerability Scan is a scan of your nominated public-facing IP addresses and web applications, conducted remotely from the Internet (external scan) and assessed against a list of known vulnerabilities. A report of this assessment is provided to you.

3.2 The Vulnerability Scan consists of the following scans of your nominated network assets:

(a) Vulnerability Management (VM) scan

(b) PCI Compliance (PCI-DSS) scan

(c) Web Application Scans (WAS)

Vulnerability Management (VM) scan

3.3 The Vulnerability Management (VM) scan allows you to scan your nominated network assets for listed known vulnerabilities, which assists you in discovering key security vulnerabilities and the latest malware.

PCI Compliance scan

3.4 The PCI Compliance scan allows you to scan your nominated network assets for compliance with the current version of the Payment Card Industry Data Security Standard (PCI-DSS), which regulates how credit card information is stored and used.

3.5 The Payment Card Industry Data Security Standard is an information security standard for organisations that handle cardholder information from debit and credit cards. The standard is designed to reduce incidents of credit card fraud by providing a compliance framework that sets a baseline compliance level.

3.6 A PCI Compliance scan does not constitute validation of your compliance with PCI-DSS. You are still required to perform validation of PCI-DSS as it applies to you.

Web Application Scans (WAS)

3.7 The Web Application Scan (WAS) allows you to scan your nominated web applications (including Internet URLs) to enable the detection of a number of application vulnerabilities, including SQL injection and cross-site scripting.

3.8 The Web Application Scan (WAS) assists discovery of official and “unofficial” applications residing on your network. WAS detects applications that are vulnerable to issues including the OWASP Top 10, SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection.

3.9 The Web Application Scan provides automated penetration testing of applications against a list of known vulnerabilities.

4 Vulnerability Service Add-ons

4.1 Telstra’s Vulnerability Service Add-ons extend the capabilities of your Vulnerability Scan.

4.2 You must acquire a Vulnerability Scan in order to get a Vulnerability Service Add-on.

4.3 Other than the Consultant Report, if you select a Vulnerability Service Add-on, you must get it for the same period as your Vulnerability Scan.

Internal Scans

4.4 The Internal Scan is a scan of your nominated internal IP addresses and web application network assets, conducted remotely using dedicated hardware or a virtual scanner inside one or more of your network segments (internal scan) and assessed against a list of known vulnerabilities. A report of this assessment is provided to you.

4.5 The Internal Scan conducts a Vulnerability Management (VM) scan on your nominated network assets.

4.6 We will provide you with any dedicated hardware scanner or virtual scanner (scanner) required to conduct an internal scan, as described in clause 8.

4.7 You have the option to select a separate Internal Scan report, or to request a single combined Internal Scan and Vulnerability Scan report.

Additional Web Application Scans (WAS)

4.8 For your Vulnerability Scan, you may apply for extra Web Application Scans (WAS) in addition to the number of Web Application Scans included in your selected Vulnerability Scan package.

Zero-Day Scans

4.9 For your Internal Scan, you may apply for a Zero-Day Scan in addition to the Internal Scan. This feature will enable you to identify vulnerable applications and give you the opportunity to quarantine them from the network until a patch or update is supplied by the developer.

4.10 The Zero-Day Scan allows you to scan your network assets for “zero-day” vulnerabilities based on Verisign iDefense. This scan provides a check of your applications and operating system against a list of zero-day vulnerabilities. Zero-day vulnerabilities are newly discovered vulnerabilities that application and operating system developers have not had time to address and patch. Once a patch is available, a vulnerability is no longer classed as a zero-day vulnerability.

Consultant Reporting

4.11 For your Vulnerability Scan and Internal Scan, you may apply for a Telstra Security Consultant to examine your report. The consultant reviews the output of your report, assists you to interpret the results and provides its own report. The Telstra Security Consultant’s services are provided as an Optional Service under the Security Consulting Services section of the OCT. Charges for this reporting are set out in this document.

5 Vulnerability Assessment

5.1 You may request a Telstra Security Consultant to conduct one or more of the Vulnerability Services on your behalf, consult with you about your security objectives and priorities, and provide a customised report. The Vulnerability Assessment is provided on the terms of the Optional Service under the Security Consulting Services section of the OCT.

6 Online service portal

6.1 Unless specified otherwise, the Vulnerability Services are requested and carried out via a self-service portal.

Online service portal

6.2 We will provide you with access to an online portal, accessible through the Internet, to configure, manage and request Vulnerability Services and to access scan reports. We will provide you with a means of authentication to enable you to access this online portal.

6.3 You are responsible for ensuring that you have a connection to the Internet to enable you to use the online service portal.

Qualys platform

6.4 The scans are conducted through the online service portal using applications that are hosted on a platform by Qualys Inc (Qualys) and, other than for Internal Scans, you will not be provided with any software.

Access to Qualys platform

6.5 You must appoint an account administrator to manage the portal and be your single point of contact in relation to it. You must nominate users that may log in (portal users) and users that may review and respond to messages (profile users). You are responsible for the use of the portal (including the platform) by your users, and for any messages sent by your users, regardless of your relationship with those users.

6.6 You may change the number of users and the availability of service functionality to users at any time by using the web management tools. You acknowledge that you are responsible for configuring the portal and platform for your users. You are responsible for ensuring that all user information is accurate and up-to-date.

Licence

6.7 Your access to the online portal is provided on a limited, non-exclusive, non-transferable, non-sublicensable basis, and only for the purpose of using the Vulnerability Services.

Account

6.8 You may only use your account to conduct scans of the entity in the name of the account, or of any entities within the same corporate group. If you wish to conduct scans for other entities, you must obtain and use a separate account in the name of that other entity.

Usernames and passwords

6.9 You must ensure that any usernames and passwords are protected from unauthorised use, and you are responsible for any acts or charges incurred through misuse, unauthorised use or failure to comply with guidelines provided to you. You must immediately notify us if you become aware of any unauthorised use. You must indemnify us for all claims and liabilities associated with unauthorised use of your usernames and passwords.

Notices

6.10 Notices relating to the Vulnerability Service will be available via the alert message on the online portal.

7 Scans and reports

7.1 Your Vulnerability Scan report will list the detected vulnerabilities in order of importance for the scanned network assets nominated by you.

7.2 Unless otherwise stated, each Vulnerability Scan and Internal Scan will produce a separate report.

Configuration of your network

7.3 The Vulnerability Services will only scan those network assets which are nominated by you and which you (and your systems) allow to be scanned. You are responsible for identifying and nominating the network assets to be scanned, and for configuring your systems to allow those network assets to be scanned (e.g. removing firewalls).

Currency of scan reports

7.4 Scan reports represent a point-in-time scan of your network assets against the list of known vulnerabilities or standards (as applicable) at the time the scan was conducted. The list of known vulnerabilities and standards is continually updated, and this may affect the currency of your scan reports. You are responsible for conducting your scans at appropriate intervals based on your security needs.

Regularity of scans

7.5 You may conduct as many scans as you wish for the number of network assets included in your package. You are responsible for setting up the regularity and timing of your scans.

Accessing reports

7.6 Scan reports are generally available via the online service portal once you have conducted the scan. For a Vulnerability Assessment, we will provide the report directly to you.

8 Scanners

8.1 If we provide you with dedicated hardware or a virtual scanner to conduct an Internal Scan, we will provide such number of scanners as is included in your subscription package. You may licence or rent additional scanners as required.

8.2 We will procure our supplier to provide you with the scanner, and you agree to comply with the terms of use in this clause.

8.3 The scanner contains software enabling the supplier to manage and update the scanner remotely, including the ability to cancel or discontinue scanning via the scanner.

8.4 Unless otherwise agreed, you are required to install the scanners yourself.

Dedicated hardware

8.5 We grant you a limited, non-exclusive, non-transferable, non-sublicensable right to use the software embedded in the dedicated hardware, in executable code form only, to operate the hardware in connection with the Vulnerability Service.

8.6 Title to the hardware does not pass to you. You must return any supplied hardware, at your cost and in good working order (subject to fair wear and tear), to us within 7 days of expiration or termination of your service. If you do not, we will charge you for it.

8.7 You are responsible for any damage to the hardware caused by you or a third party.

Virtual scanner

8.8 The virtual scanner is licensed to you on a limited, non-exclusive, non-transferable, non-sublicensable licence to: (i) install and use the virtual scanner for the number of your nominated network assets for your internal business purposes; (ii) use and reproduce the relevant documentation provided for use in operating the virtual scanner; and (iii) move the virtual scanner to a different virtualization platform or make one copy of the virtual scanner solely for backup or archival purposes.

8.9 Installation of the virtual scanner on more than one virtualization platform may require the purchase of additional subscription licences, which we may grant at our discretion, and additional licences from your third party suppliers, which you are responsible for obtaining.

8.10 You may make copies of the relevant documentation in human-readable form, provided that such copies are (a) complete and not edited or abridged and (b) include all copyright and other proprietary information and notices contained in the original.

8.11 The virtual scanner may contain software (open source software) that is subject to a licence that permits users to modify those portions and redistribute the modifications (open source licence). Your use of the open source software may be subject to the GNU General Public License V2 (“GPL”) or the GNU Lesser General Public License (“LGPL”). Your use, modification and redistribution of the open source software is governed solely by the terms and conditions of the applicable open source licence, which can be found at ( A list of the open source software and the applicable open source licences, including the relevant source code, can be obtained by sending an email to us.

Scanners generally

8.12 You must not reverse engineer, decompile, or disassemble any hardware or software that is embedded in or related to the Service, except as specified in this document.

8.13 You may not make any alteration, addition or modification to scanners, or open, disassemble or tamper with them in any fashion, or transfer possession of them to any third party.

8.14 Intellectual property in the dedicated hardware or virtual scanner is our property or the property of our suppliers, and does not pass to you.

9 Additional requirements

Internal use

9.1 You must only use the Vulnerability Services and any reports generated for your own internal use. Intellectual property in reports remains with us or our supplier (as applicable).

No fixes included

9.2 The Vulnerability Services scans only detect the relevant vulnerabilities and provide a report. The services do not test, exploit, manage, rectify or fix those vulnerabilities. You are responsible for taking any additional action required to address vulnerabilities identified in scan reports.

Known vulnerabilities

9.3 Scans for known vulnerabilities are based on a list of known vulnerabilities that is compiled from data gathered from a number of sources, including major organisations, at the time of the scan. Scans do not detect all vulnerabilities that are known at the time of the scan.

Authority to scan

9.4 You represent to us and agree that you will only scan network assets which have been assigned to you by a recognised authority or which you have been authorised in writing by the relevant owner to scan. You may scan the network assets of a person within the same corporate group provided you have the relevant authority in writing. Other than this, you must not scan network assets of another party. You indemnify us for a breach of this clause 9.4.

Service interruption and back-up

9.5 You acknowledge and agree that:

(a) the scans may expose vulnerabilities or the presence of malware or other vulnerabilities, and in some circumstances could result in the disruption of services or of your network assets; and

(b) some optional features, including internal scans, involve substantial risk of Denial of Service (DoS) conditions, loss of service, hardware failure and loss or corruption of data. You are responsible for backing up all data contained in or available through the devices connected to the nominated network assets. We will not be liable for any loss of data that occurs during the conduct of the services.

Special Requirements

9.6 We will tell you of any restrictions or specific requirements that you will need to meet before we can provide the Vulnerability Services to you at the time you apply for your service. These requirements are in addition to any requirements specified in this section of Our Customer Terms or the Vulnerability Scan Responsibility Guide.

Trial

9.7 We may provide a trial of the Vulnerability Services to you for an agreed period. If we provide a trial, the terms set out in this document apply to the trial.

10 Term and termination

10.1 Upon the expiration of the minimum term, we will cease to provide you with Vulnerability Services unless you renew for a term of not less than 12 months at least 14 days prior to the end of your minimum term,